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Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020.The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 


Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (e.g. a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (e.g. sole traders, academics etc.) will be 
published but any personal data will be removed before publication 
(including email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand? 


Yes 
No 


If no please explain why and how we could improve this: 


Overall the layout is very clear and straightforward to understand, and the language is easy to 
read and interpret. It is relatively easy to navigate around the document. 


The use of examples and case studies is very helpful, and it is good to see several which 
relate to charitable organisations. 


However, several of the examples feel prescriptive and give ICO opinion rather than a 
statement of the law. This may encourage charities to go “the ICO way” (this feels slanted 
towards consent), rather than be confident in their own interpretation of the law and their 
legitimate interest assessment. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


Yes 
x! No 


If no, please explain what changes or improvements you would like to 
see? 


In general, the level of detail is right but there are two specific areas to mention where more 
detail would be helpful. 


bocial Media: Social media platforms have been addressed as a whole, but the range of social 
media activities is wide. Consent for everything to do with social media seems too broad. For 
example, if a supporter has a relationship with a charity and also with Facebook, they will 
reasonably expect the charity to appear in their newsfeed. (Assuming of course that this would 
be in the privacy policies). More detail relating to individual channels would be helpful. 


Children (p43) 

It would be helpful to provide a definition of a ‘child’. Different regulations have different age 
thresholds, which can be quite confusing. E.g. at one charity the Data Protection Office have 
recently advised that while GDPR has special protections in for people aged 16 and below for 
ISS (which the UK has lowered to 13), the ICO consider anyone under 18 to be a child. 


Q3 Does the draft code cover the right issues about direct marketing? 


Yes 
No 


If no, please outline what additional areas you would like to see 
covered: 


Profiling — there is reference to “intrusive” profiling without clarity on what that is. This para. 
On p.58 give a very negative view of profiling as does the general tone of the profiling section 
which seems to suggest that any profiling is high risk. Some more specific clarity and detail 
would be helpful. 


Lawful basis (p31) 
The ‘good practice recommendation’ of using consent for all direct marketing is unhelpful in 


this instance. 


Elsewhere the ICO have emphasised that no one lawful basis is inherently better than others 
and have been clear to note that consent is not a ‘silver bullet.’ 


This kind of guidance muddies the waters and it would be much more helpful if the advice was 
consistent. 


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


Yes 


O No 


If no, please outline what additional areas you would like to see covered 


Comment relating to impact: 

The code suggest that running names through the National Change of Address register is not 
bossible — even when this is clearly stated in a privacy policy — and when the individual has 
agreed with Royal Mail for this to take place — as | don’t believe that the Royal Mail COA 
aptures consent for direct marketing redirection (as per para 2), p.61. This will have a negative 
impact on fundraising. 


Clarity on this would be helpful and also please note the negative impact of this direction. 


Q5 Is it easy to find information in the draft code? 


x] 


Yes 
No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code 


Yes 
No 


If yes, please provide your direct marketing examples : 


We would welcome more examples in addition to those already included and this would 
add to the practical usability of the guide. 


Q7 Do you have any other suggestions for the direct marketing code? 


Working with third parties (p27) 

The example (of the supermarket sending emails about a charity) creates more confusion 
rather than clarifying the guidance. The last sentence about screening against the 
charity’s suppression list seems to contradict earlier bits of the example where it states 
that the supermarket is not passing its customers’ details to the charity. Either that, or 
it’s suggesting the charity will share its suppression list with the supermarket. It’s very 
ambiguous which is unhelpful and based on the guidance in this document and elsewhere, 
sharing data between organisations for any reason is not to be taken lightly, so further 
guidance on this particular point would be valuable. 


It reads as if it is suggesting that a supermarket would need to have specific consent to 
contact their customers about a particular charity, which has significant implications - so 
guidance on what constitutes ‘appropriate consent’ would be invaluable here. As is stands 
there is too much room for different interpretations of the example. 


Social Media (p90) Question the basis/evidence that individuals are unlikely to 
expect that processing takes place. 


With such statements there should be evidence which supports this claim as it feels too 
heavily based upon opinion. An alternative view would be that individuals would in fact 
expect their data to be used for targeting on social media platforms. 


A comment from one of our Forum members on this section is as follows: 

There has been a great deal of media attention on Facebook in particular and on this 
basis, I think the general public are quite aware of how such companies tend to use 
personal data. That is not to say that people are comfortable with it, but I think to say 
they wouldn't expect it is at best one perspective, at one end of the scale, and worst 
hyperbole, and I think it undermines the otherwise helpful guidance in this section. Linked 
to this, I am concerned that there is such a strong statement about how it is ‘difficult to 
see how it would meet the three-part test of the legitimate interest’s basis.” This has 
significant implications but is not expanded on here. I doubt many organisations are 
currently using consent as their lawful basis for this activity, so this would represent a 
fairly major shift how organisations work in this area, and robust guidance on this would 
be extremely helpful. 


About you 


Q8 Are you answering as: 


O An individual acting in a private capacity (e.g. 
someone providing their views as a member of the 
public) 

O An individual acting in a professional capacity 

O On behalf of an organisation 

X Other 


Please specify the name of your organisation: 


a 


If other please specify: 


Response on behalf of the Fundraising and Regulatory Compliance Forum, a group of 9 
medium and large charities. 


Q9 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


PE SE 


Thank you for taking the time to complete the survey 
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